Abstract

The Android ecosystem allows development of apps with relative ease through the extensive Android API. When developing the apps, security issues are often overlooked by the developers. This thesis is based on a previous work which identified 12 such Inter Component Communication (ICC) security smells that can lead to numerous security breaches in the system. A static code analysis tool based on Android Lint was developed to identify them. To further understand why some of these smells are so prominent, this thesis evaluated their appearances based on several aspects. First the influence of developers in the projects was examined. The association of developers to different apps was cross-referenced with the occurrence of smells per project and we found that for most smells the developers have a tendency to make the mistake over more than one project. We also examined how updates affect smells. The updates rarely brought a change in smells and if they did they tended to have a negative impact. We performed a manual analysis of 100 apps with the most smells. The lint-based tool was found to have a good and correct detection rate. In the next study we examined if the smells that went unreported by the tool were correctly labeled as such and the reason for not them not being detected. In most cases this was due to the relevant Android API not being used. Finally, we did a study on the location of smells in the code base. We expanded the existing linting tool to include more metadata and analyzed all the apps once more. The different smell categories tended to have a varying degree of displacement of individual smells in the code base. The average number of distinct locations grew in the order of Java package, containing class and surrounding method for most of the smells. This thesis aims to help spread awareness abut ICC security smells and thereby fundamentally reduce the attack surface in Android.